MCP: the flaw catching up with banks on agentic AI

On April 15, 2026, cybersecurity firm OX Security published a report documenting an architectural vulnerability in the Model Context Protocol (MCP), the open standard through which AI agents talk to external tools. The defect concerns the default "stdio" transport used by the official SDKs across Python, TypeScript, Java and Rust. The impact, as quantified by the researchers: up to 200,000 vulnerable instances, more than 150 million downloads of the affected packages, 10 CVEs already published, and 9 of 11 tested MCP directories compromised in a marketplace poisoning exercise.

On April 21, financial daily American Banker translated the story for the banking sector. JPMorgan Chase, Citi, BNY Mellon, PNC and Capital One are listed among the regular users of agentic AI in production. Anthropic's position, as cited by the researchers: the behavior is "expected", and securing user input is the developer's responsibility. In other words, the vendor considers the design consistent with intent and triggers no protocol-level patch.

The US legal stakes are well documented. A 2023 interagency notice signed by the Federal Reserve, the FDIC and the OCC reminds banks that "a banking organization's use of third parties does not diminish its responsibility" for safe operations. Translation: if an unpatched MCP flaw at Anthropic produces an incident at a bank, it is the bank that answers for it.

"Expected": one word that shifts liability

The word "expected" is the key. When a vendor labels a behavior as design-consistent, the event leaves the realm of bugs and enters the realm of operational risk that must be documented. A standard CVE is patched, closed, and filed in a release log. A design decision refuses to move.

That reverses the doctrine most risk managers still apply to software dependencies. The usual presumption: a serious vendor patches critical protocol vulnerabilities, you track versions, you document exceptions. With MCP, the patched version does not exist and never will. What exists are usage recommendations: use stdio "with caution", validate every input, restrict subprocess privileges. These recommendations transfer the load to the integrator. For a bank already running dozens of AI pilot teams, this is a mechanical multiplication of controls to formalize.

The political timing is tight. On April 10, 2026, Treasury Secretary Scott Bessent and Fed Chair Jerome Powell had already summoned the CEOs of Goldman Sachs, Citigroup, Morgan Stanley, Bank of America and Wells Fargo to discuss Anthropic's Mythos model and the cyber risks it raises. The European Central Bank is preparing similar questionnaires for euro-area banks. The regulatory backdrop is set: every major supervisor expects banks to maintain a current map of their MCP exposures. The OX Security disclosure therefore lands at the worst possible moment in the political cycle.

The third-party chain problem

The bank AI ecosystem looks less and less like a chain of vertical vendors. A bank buys a foundation model from OpenAI or Anthropic, exposes it through an MCP orchestration layer, plugs in open-source MCP servers to query Snowflake or Bloomberg, and ships the whole thing through assistants like Cursor, Claude Code or GitHub Copilot. All of these components appear in the OX Security list: LangFlow, GPT Researcher, Windsurf, Claude Code, Cursor, Gemini-CLI, GitHub Copilot. The attack surface does not stop at the bank's perimeter; it reaches into every npm or pip package the developer pulls in.

Three practical consequences.

First. Bank Software Bill of Materials (SBOM) practices are not adapted to this. Today's dependency inventories do not track stdio MCP usage on a per-project basis. IT risk teams will need to build a new transversal inventory, and quickly. The CVE map already published gives a starting point but only covers cataloged packages.

Second. Regional banks and fintechs are more exposed than the largest players. Carter Pape, who authored the American Banker piece, notes that fewer than 10% of banks actually run AI on critical production workloads. But those that crossed the line, like JPMorgan Chase with its 200,000 employees on LLM Suite, have a more visible footprint and a heavier systemic weight. The first public post-MCP incident will be scrutinized.

Third. OpenAI's competitive argument against Anthropic gets sharper. OpenAI announced in March 2026 a financial services suite that competes directly with Anthropic's. The MCP controversy gives OpenAI a natural commercial pitch in front of conservative banking accounts: an alternative protocol, or a native security layer with no stdio dependency.

What banks can do (and the limit)

The banking reflex is documented. The 2023 SR Letter on third-party risk management already defines the framework. In practice, three actions stand out.

Disable stdio by default and impose a controlled-privilege transport in its place (authenticated HTTP, named sockets with access control). Force a manual review of any subprocess command issued by an agent. Add an exhaustive logging layer for MCP calls, the precondition of any post-incident investigation.

The cost is not marginal. For a bank industrializing an AI copilot across thousands of users, these controls add a few hundred milliseconds of latency and require a review of every integration already deployed. And every month spent hardening infrastructure is a month not spent experimenting on business use cases. The 2026-2027 strategic window in which Wall Street is pushing AI hard is therefore narrowing for banks that take the topic seriously.

The deeper limit: no defensive measure fixes a design choice. Banks can route around stdio, they cannot rewrite Anthropic's stance on what vendor responsibility covers. If MCP becomes the de facto standard, the situation becomes structural. This is what regulators are starting to call AI vendor concentration risk, already flagged by the Bank of England's Financial Policy Committee in March 2026.

There is also a procurement asymmetry worth naming. Anthropic and its largest rivals negotiate enterprise contracts in which liability caps, indemnification scopes and security commitments are heavily lawyered. A bank's procurement team can fight for stronger language at signing; it has very little bargaining power once a model is embedded in a hundred internal workflows. The 2026 wave of MCP integrations was largely shipped through engineering teams chasing speed, not through procurement gating. Reversing that posture takes a board-level signal, and that signal usually arrives only after the first incident.

Seen from my desk

The Bloomberg Dashboard I built uses precisely the chain at issue: a Claude client that calls tools through MCP to parse company filings and extract ratios. At the scale of a personal project the stakes stay measured; the host machine is mine, and the generated commands are trivial. But the exercise has already taught me that AI agents produce tool calls whose phrasing regularly surprises the developer who shipped them.

When I join the Agence Francaise de Developpement (AFD) in September 2026 as an ALM apprentice, agent traceability will be on the operational risk team's radar. A development bank is not a high-frequency trader, but it remains responsible for credit validation, sovereign ratings and recovery processes, where a single untraced command injection would be unacceptable. The MSc Data & AI for Finance I start in September at Albert School was built precisely for this turning point, where finance can no longer treat models as an externalized black box.

Take-away

The MCP flaw will not break a bank tomorrow morning. It will, however, force every risk committee to ask one simple question: for every AI agent in production, who carries the legal liability for the next incident? Until that question has a written answer, Anthropic's "expected" remains the posture of a bank carrying an exposure it has not yet quantified.